Paid Advertising
web application security lab

Challenge Round 2

Okay, it’s time for the second round of the challenge. If you remember last time I didn’t do a particularly good job of giving people a head’s up that the challenge was happening. This time I’m giving you lots of warning. I also made it harder in a few small ways. id thinks it’s way harder, but we’ll see, I have a feeling it’ll be solved pretty quickly (it can theoretically be solved in under 5 minutes if you already knew how to solve it). Here is the exact time it will start. Please make sure you do the correct conversions into whatever timezone you are in:

Monday August 20th at 1PM Pacific Time (4PM Eastern Time).

This time I’ll be focusing less on HTTP and a lot more on “states”. That’s your one and only hint. When the clock strikes, I’ll remove the htaccess file and you’ll find the challenge sitting here. Feel free to use the forum to chat amongst yourselves before/during/after the challenge. id and I still haven’t come to agreement on the prizes, but if anyone wants to sponsor the challenge and give away some shwag, let me know. Otherwise it might be more tee-shirts since we still have a box full of them that we’ll need to give away at some point or another.

Again, the rules of the challenge and the directions are part of what you need to find. There are lots of things going on, and I tried to build on the same framework as last time, so having some familiarity with the last test might help you (or it might not). Either way, it’s tough, and requires work, so good luck to anyone who attempts it. For those of you who couldn’t figure out the last one, don’t bother with this one, this one uses many of the same principles. I hope you guys like it - we are already coming up with some pretty out of the box ideas for the next one.

18 Responses to “Challenge Round 2”

  1. Jordan Says:

    Sweet! No excuse for me this time… ;-)

    *goes off to put an alert in his calendar*

  2. RSnake Says:

    I’m surprised there hasn’t been any trash talking yet! Anyone taking bets?

  3. Sid Says:

    Damnit, I’ll be in Beijing seeing the sights, no time for the challenge.

  4. Tadaka Says:

    Ack! And I have a phone interview 30 minutes after it starts!! Oh well, I’ll do it anyway just for fun.

  5. verT!c4L Says:

    Iīll try it too, although i might go the lowest skill here.

  6. Spider Says:

    I really shouldn’t work on it at work. It would be nice if the start time was moved closer to 5 pm Pacific or over the weekend. Don’t worry about it vert!c4L, I thought the last one would have been more difficult than it actually was. I found 3/4 clues after the contest was over. Nothing to brag about but I’m don’t have the http rfc memorized.

    Hopefully the next one will require some more lateral thinking.

    Maybe something that will require more than ten F*cking days?

  7. RSnake Says:

    I know, I know, the timing was the hardest thing to figure out. I was going to do it tonight, but then people would bitch that it was Friday night and they have significant others who they have been ignoring all week (computer people like to pretend that people love them). No one wants to do more work on the weekend. Nights are for MMORPGs and relaxing to re-runs of the Simpsons.

    That leaves us normal working hours. But remember only part of the readers of this site are in the US. For the other part it’s in the evening or morning or whatever. So no time is ideal. The reason I picked the middle of the day was purely for the people who wanted a distraction from work. For all others, you can do it at your leisure, you just won’t win a prize. ;)

  8. Spider Says:

    Right, right. Maybe I should just write a script to solve the challenge while I continue to work. I could automate the most basic of things to cut down on possibilities, so I have a head start once I can actually find time to do look at it.

    Insightful comment on the use of our spare time. I prefer wailing on my guitar to MMORPG’s and Futurama to Simpsons. But otherwise… dead on.

  9. zeno Says:

    “Iím surprised there hasnít been any trash talking yet! Anyone taking bets?”

    Ok I’ll do some trash talking if you insist! First the boards have turned into a johnnyihackstuff venue (google dorks), and now you’re turning into cyberarmy with these challenges. What has happened to hackers RSnake!


  10. RSnake Says:

    @Zeno - no no, trash talk _other_ people! Eesh! Honestly, what happened to hackers was that I was getting bored of the format and the drama, and I started having fun again. That’s what this was for after all. Fun and sharing information on how to break stuff. I know it’ll blow everyone’s mind but I actually did responsible disclosure yesterday. Crazy, I know. I am just tired of the drama that comes when I publically out companies. I’d rather focus on the important stuff.

  11. thornmaker Says:

    as long as i beat jordan, i’ll be happy

  12. ChosenOne Says:

    I used to make challenges like this one for a group of friends on IRC, but thematically more on tcp/ip, crypto-stuff than html/xss/javascript.
    I’m curious how it’s gonna be - don’t know whether I will check it out in time or deal with it later on.
    Good luck to all competitors ;)

  13. trash Says:

    I don’t manage to convert that in my time zone…
    Which time will be in Germany/Berlin?
    Thank you very much

  14. RSnake Says:

    If you can’t figure out how to convert EST or PST into your local timezone, this challenge is probably not for you. But in the off chance that is your one internet technology deficiency it’s about 3 hours and 45 minutes from now.

  15. RSnake Says:

    Oh, and I’ll be using NTP, but I may be off by a few seconds.

  16. trash Says:


  17. Chris Says:


  18. Tyler Reguly Says:

    It’s so close I can taste it :)

    I’m looking forward to this one..